PyPi: Stream-Zip

CVE-2023-45857

Transitive

Safety vulnerability ID: 65652

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 08, 2023 Updated at Aug 10, 2024

Advisory

stream-zip 0.0.71 pins localtunnel, a Node.js development dependency of the repository's build and documentation tooling (the same release also fixes package-lock.json), to version 2.0.2. The pin was made so that the dependency tree no longer resolves to a version of axios affected by CVE-2023-45857, in which axios copies the value of the XSRF-TOKEN cookie into an X-XSRF-TOKEN request header on requests to any host, disclosing the anti-CSRF token to third-party origins. The Python package installed from PyPI does not ship or import this Node code, so the exposure sits in the project's build and docs environment rather than in stream-zip's ZIP-streaming functionality, which the Transitive label above reflects. When applying the same kind of fix elsewhere, check in the lockfile which axios version actually resolves after the pin: pinning a direct dependency does not by itself guarantee that the transitive axios copy is outside the affected range.
https://github.com/uktrade/stream-zip/pull/107/commits/4ac7d1037ed62f0095d7a91937a48e30bcc6acb2
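A pin like the one in PR #107 only helps if the copy of axios that actually resolves in the lockfile is a fixed version, and npm can keep several copies of the same package installed side by side. The script below is an added example, not code from the stream-zip project: it reads an npm package-lock.json (the lockfileVersion 2/3 "packages" layout), lists every installed copy of a package, and, for each package that declares a dependency on it, reports which copy Node's nested-then-parent lookup would load and whether that copy passes a caller-supplied fixed-version check. The sample lockfile, the package names docs-tool and other-tool, and the assumption that 1.6.0 is the first fixed axios release are all constructed for the demonstration; substitute the real lockfile and the exact affected ranges from the advisory you are acting on.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample npm lockfile (lockfileVersion 3 layout). It is NOT the
# real stream-zip package-lock.json; "docs-tool" and "other-tool" are made-up
# package names. It models three ways axios can end up in one tree:
#   - nested under localtunnel at an old 0.x version,
#   - nested under a tool that pins axios 1.5.1,
#   - hoisted to the top level at 1.6.2 for a tool that accepts ^1.6.0.
SAMPLE_LOCKFILE = json.dumps({
    "name": "docs-site",
    "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {"localtunnel": "2.0.2", "docs-tool": "1.0.0", "other-tool": "1.0.0"}},
        "node_modules/axios": {"version": "1.6.2"},
        "node_modules/localtunnel": {"version": "2.0.2", "dependencies": {"axios": "0.21.4", "debug": "4.3.2"}},
        "node_modules/localtunnel/node_modules/axios": {"version": "0.21.4"},
        "node_modules/docs-tool": {"version": "1.0.0", "dependencies": {"axios": "1.5.1"}},
        "node_modules/docs-tool/node_modules/axios": {"version": "1.5.1"},
        "node_modules/other-tool": {"version": "1.0.0", "dependencies": {"axios": "^1.6.0"}},
        "node_modules/debug": {"version": "4.3.2"},
    },
})

# Assumption for the demo: treat 1.6.0 as the first release carrying the fix
# and anything below it as needing review. Replace with the exact ranges from
# the advisory you are acting on.
IS_FIXED: Callable[[Version], bool] = lambda v: v >= (1, 6, 0)


def parse_version(text: str) -> Version:
    """'1.5.1' -> (1, 5, 1); pre-release/build suffixes are dropped for comparison."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def installed_copies(lockfile_text: str, name: str) -> Dict[str, str]:
    """Every installed copy of `name`, keyed by its node_modules path.

    npm installs several versions side by side when dependents disagree, so
    a clean hoisted copy can hide a vulnerable nested one.
    """
    packages = json.loads(lockfile_text)["packages"]
    suffix = "node_modules/" + name
    return {
        path: meta["version"]
        for path, meta in packages.items()
        if path == suffix or path.endswith("/" + suffix)
    }


def resolve_for(packages: dict, dependent_path: str, name: str) -> Optional[str]:
    """Which copy of `name` Node would load from `dependent_path`.

    Mirrors the lookup order: the dependent's own nested node_modules first,
    then each ancestor's, ending at the project root.
    """
    base = dependent_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Step up one level: drop the trailing node_modules/<pkg> segment.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def audit(lockfile_text: str, name: str,
          is_fixed: Callable[[Version], bool]) -> Dict[str, Tuple[str, str, bool]]:
    """For every package that declares `name` as a dependency, report the copy
    it resolves to, that copy's version, and whether the version passes `is_fixed`."""
    packages = json.loads(lockfile_text)["packages"]
    findings: Dict[str, Tuple[str, str, bool]] = {}
    for path, meta in packages.items():
        declared: Dict[str, str] = {}
        for field in ("dependencies", "devDependencies", "optionalDependencies"):
            declared.update(meta.get(field, {}))
        if name not in declared:
            continue
        resolved = resolve_for(packages, path, name)
        if resolved is None:
            continue  # declared but not installed (e.g. an optional dep that was skipped)
        version = packages[resolved]["version"]
        findings[path or "<root>"] = (resolved, version, is_fixed(parse_version(version)))
    return findings


def needs_review(findings: Dict[str, Tuple[str, str, bool]]) -> List[str]:
    """Dependents whose resolved copy is not known to be fixed, sorted by path."""
    return sorted(dep for dep, (_, _, fixed) in findings.items() if not fixed)


if __name__ == "__main__":
    for dep, (resolved, version, fixed) in audit(SAMPLE_LOCKFILE, "axios", IS_FIXED).items():
        print(f"{dep:28} -> {resolved:48} {version:8} {'ok' if fixed else 'NEEDS REVIEW'}")
```

On the constructed sample the hoisted top-level axios is already a fixed version, yet two dependents still load older nested copies; that is the case a quick look at the top-level `node_modules/axios` would miss, and the reason the check walks from each dependent rather than from the root.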

Affected package

stream-zip

Latest version: 0.0.82

Python function to construct a ZIP archive with stream processing - without having to store the entire ZIP in memory or disk

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

The main non-documentation change is the addition of an async interface via the `async_stream_zip` function.

* docs: suggest that the risk of high numbers of files in many situations is fine by michalc in https://github.com/uktrade/stream-zip/pull/99
* docs: add order of 0 to index/homepage by michalc in https://github.com/uktrade/stream-zip/pull/101
* build(deps): move to govuk-eleventy-plugin v6.0.3 by michalc in https://github.com/uktrade/stream-zip/pull/103
* docs: use system font, and fix layout of header by michalc in https://github.com/uktrade/stream-zip/pull/104
* docs: make logo a bit tighter by michalc in https://github.com/uktrade/stream-zip/pull/105
* docs: increase letter spacing/kerning in logo by michalc in https://github.com/uktrade/stream-zip/pull/106
* build(deps): pin localtunnel to avoid axios vulnerability by michalc in https://github.com/uktrade/stream-zip/pull/107
* build(deps): add rollup-linux-x64-gnu as optional dependency by michalc in https://github.com/uktrade/stream-zip/pull/108
* build(deps): fix package-lock.json by michalc in https://github.com/uktrade/stream-zip/pull/109
* docs: add links to footer by michalc in https://github.com/uktrade/stream-zip/pull/111
* docs: simplify async interface by michalc in https://github.com/uktrade/stream-zip/pull/112
* docs: use preferred function for getting event loop by michalc in https://github.com/uktrade/stream-zip/pull/113
* feat: async interface by michalc in https://github.com/uktrade/stream-zip/pull/114


**Full Changelog**: https://github.com/uktrade/stream-zip/compare/v0.0.70...v0.0.71


Severity Details

CVSS Base Score: MEDIUM 6.5

CVSS v3 Details (vector reconstructed from the metrics below: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): NONE